D-Link DIR-825 and DIR-825R OS Command Injection Vulnerability in NTP Service

A critical OS command injection vulnerability has been identified in the D-Link DIR-825 and DIR-825R routers, specifically in the NTP service component. This issue arises in firmware version 1.0.5 for the DIR-825 and version 4.5.1 for the DIR-825R. The vulnerability is located in the 'handler_update_system_time' function within the 'libdeuteron_modules.so' file. The flaw allows authenticated attackers to inject malicious commands by unsanitized NTP server addresses, potentially leading to remote code execution as root. This vulnerability affects products that are no longer supported by the maintainer.

Impact

Exploitation of this vulnerability allows for OS command injection, with the potential for remote code execution as the root user.

Reproduction

To reproduce this vulnerability, an authenticated attacker can access the router's web interface and navigate to the NTP server configuration endpoint. Once there, the attacker can input a malicious NTP server address containing shell metacharacters into the 'Device.Services.NTP.Servers.X.address' configuration path. The injected command will be executed with root privileges, achieving remote code execution.